How do you set up a single Apache2 config to host multiple HTTPS sites each on their own IP address? There will also be multiple HTTP sites on just a single IP address.

I do not want to use Server Name Indication (SNI) as described here, and I'm only concerned with the important top-level Apache directives. That is, I just need to know the skeleton of how my config should look.

The basic setup looks like this:

```
Hosted on 1.1.1.1:80 (HTTP)
  - example.com
  - example.net
  - example.org
Hosted on 2.2.2.2:443 (HTTPS)
  - secure.com
Hosted on 3.3.3.3:443 (HTTPS)
  - secure.net
Hosted on 4.4.4.4:443 (HTTPS)
  - secure.org
```

And here are the important config directives I have so far, which is the closest I've come to a working iteration, but still no dice. I know I'm close, just need a little push in the right direction.

```apache
Listen 1.1.1.1:80
Listen 2.2.2.2:443
Listen 3.3.3.3:443
Listen 4.4.4.4:443

NameVirtualHost 1.1.1.1:80
NameVirtualHost 2.2.2.2:443
NameVirtualHost 3.3.3.3:443
NameVirtualHost 4.4.4.4:443

# HTTP VIRTUAL HOSTS:

<VirtualHost 1.1.1.1:80>
    ServerName example.com
    DocumentRoot /home/foo/example.com
</VirtualHost>

<VirtualHost 1.1.1.1:80>
    ServerName example.net
    DocumentRoot /home/foo/example.net
</VirtualHost>

<VirtualHost 1.1.1.1:80>
    ServerName example.org
    DocumentRoot /home/foo/example.org
</VirtualHost>

# HTTPS VIRTUAL HOSTS:

<VirtualHost 2.2.2.2:443>
    ServerName secure.com
    DocumentRoot /home/foo/secure.com
    SSLEngine on
    SSLCertificateFile /home/foo/ssl/secure.com.crt
    SSLCertificateKeyFile /home/foo/ssl/secure.com.key
    SSLCACertificateFile /home/foo/ssl/ca.txt
</VirtualHost>

<VirtualHost 3.3.3.3:443>
    ServerName secure.net
    DocumentRoot /home/foo/secure.net
    SSLEngine on
    SSLCertificateFile /home/foo/ssl/secure.net.crt
    SSLCertificateKeyFile /home/foo/ssl/secure.net.key
    SSLCACertificateFile /home/foo/ssl/ca.txt
</VirtualHost>

<VirtualHost 4.4.4.4:443>
    ServerName secure.org
    DocumentRoot /home/foo/secure.org
    SSLEngine on
    SSLCertificateFile /home/foo/ssl/secure.org.crt
    SSLCertificateKeyFile /home/foo/ssl/secure.org.key
    SSLCACertificateFile /home/foo/ssl/ca.txt
</VirtualHost>
```

For what it's worth, I prefer to have each of my SSL sites on their own IP instead of including one of them on the primary VHOST IP. Any links which show a standard setup would be more than welcome!

Jeff
  • Looks fine, but feel free to drop the `NameVirtualHost ...:443` directives; you'd only want them if you were doing SNI. Can you clarify what problems or errors you're seeing? Did you do a full restart, not just a reload, of Apache? – Shane Madden Nov 23 '11 at 17:34
  • That sounds like a firewall problem. Can you connect to any of those IP addresses from your desktop on port 443 using a command like `telnet 4.4.4.4 443` ? – Ladadadada Nov 23 '11 at 18:10
  • No firewall set up on the machine yet. Telnet to each `IP PORT` works fine. I really thought it was something in my Apache config, but I will try out Shane's suggestions in a bit. – Jeff Nov 23 '11 at 18:13

1 Answer

Restart Apache, don't reload. Newly configured SSL certs aren't loaded in on a reload.

Drop the `NameVirtualHost ...:443` directives; you'd only want them if you were doing SNI.

And yeah, keep the `NameVirtualHost 1.1.1.1:80` directive; your port 80 hosts need that for requests to be routed based on the Host header.

Jeff
Shane Madden
  • So the rest of my Apache config looks right to you? It looked right to me! Banging my head on this. I will go ahead and restart, plus remove the `NameVirtualHost ...:443`'s (when I get home). If all is well, you should see a big ole' green check mark next to your answer. – Jeff Nov 23 '11 at 18:11
  • @Jeff - Before you `restart` you can ask apache to do a `configtest` which will tell you if Apache doesn't like something about your config file's syntax. The `apachectl` utility that comes with Apache can do this, and most systems' init scripts will also take `configtest` as a directive. – voretaq7 Nov 23 '11 at 18:23
  • @voretaq7, `configtest` was done and reported my config files are OK. Was wondering about the common `/home/foo/ssl/ca.txt`. I don't think that's the problem, though. Isn't that just a Certificate Authority list? Again, I appreciate the help, and I'll be able to try all this when I get home. – Jeff Nov 23 '11 at 18:42
  • That is indeed just a CA list. I believe you can set that in the global context as well so you don't have to repeat it, but double-check the Apache documentation to be sure. – voretaq7 Nov 23 '11 at 18:46
  • To summarize this question, everyone thinks my Apache config looks fine, so I will make the change suggested by Shane in his first comment above and restart Apache. If it works, I'll edit his answer to reflect the change and mark it correct. Thanks again. – Jeff Nov 23 '11 at 19:11
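
A small pre-restart check for the layout discussed in this thread, added here as an example (it is not code from the question or the answers): the hypothetical `audit_vhosts` helper flags `NameVirtualHost` lines on addresses that serve a single IP-based host, addresses with several hosts but no `NameVirtualHost`, and `<VirtualHost>` addresses with no `Listen`. It assumes Apache 2.2-style directives written in the exact `IP:port` form used in the question, and the sample config is constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of the question's config (trimmed).
SAMPLE = """\
Listen 1.1.1.1:80
Listen 2.2.2.2:443
NameVirtualHost 1.1.1.1:80
NameVirtualHost 2.2.2.2:443
<VirtualHost 1.1.1.1:80>
    ServerName example.com
</VirtualHost>
<VirtualHost 1.1.1.1:80>
    ServerName example.net
</VirtualHost>
<VirtualHost 2.2.2.2:443>
    ServerName secure.com
</VirtualHost>
<VirtualHost 3.3.3.3:443>
    ServerName secure.net
</VirtualHost>
"""

DIRECTIVE = re.compile(r"(?i)<?(Listen|NameVirtualHost|VirtualHost)\s+([^\s>]+)")

def audit_vhosts(conf):
    """Hypothetical helper: check Listen/NameVirtualHost/<VirtualHost> consistency."""
    seen = defaultdict(list)  # directive name -> address:port values, in file order
    for line in conf.splitlines():
        m = DIRECTIVE.match(line.strip())  # comments and closing tags do not match
        if m:
            seen[m.group(1).lower()].append(m.group(2))
    findings = []
    for addr in sorted(set(seen["virtualhost"])):
        count = seen["virtualhost"].count(addr)
        if addr not in seen["listen"]:
            findings.append(f"{addr}: no matching Listen")
        if count > 1 and addr not in seen["namevirtualhost"]:
            findings.append(f"{addr}: {count} vhosts need NameVirtualHost")
        if count == 1 and addr in seen["namevirtualhost"]:
            findings.append(f"{addr}: NameVirtualHost not needed (IP-based vhost)")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_vhosts(SAMPLE)) or "no findings")
```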